You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@couchdb.apache.org by gi...@git.apache.org on 2017/09/25 21:46:39 UTC
[GitHub] tianon commented on a change in pull request #28: Update with feedback from @yosifkit
tianon commented on a change in pull request #28: Update with feedback from @yosifkit
URL: https://github.com/apache/couchdb-docker/pull/28#discussion_r140907707
##########
File path: 1.6.1/Dockerfile
##########
@@ -28,19 +28,27 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
libnspr4-0d \
&& rm -rf /var/lib/apt/lists/*
-# grab gosu for easy step-down from root and tini for signal handling
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && curl -o /usr/local/bin/gosu -fSL "https://github.com/tianon/gosu/releases/download/1.7/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -fSL "https://github.com/tianon/gosu/releases/download/1.7/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
- && curl -o /usr/local/bin/tini -fSL "https://github.com/krallin/tini/releases/download/v0.14.0/tini" \
- && curl -o /usr/local/bin/tini.asc -fSL "https://github.com/krallin/tini/releases/download/v0.14.0/tini.asc" \
- && gpg --verify /usr/local/bin/tini.asc \
- && rm /usr/local/bin/tini.asc \
- && chmod +x /usr/local/bin/tini
+# grab gosu for easy step-down from root
+ENV GOSU_VERSION 1.10
+RUN set -x \
+ && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
+ && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true \
+&& apt-get purge -y --auto-remove wget
+
+# grab tini for signal handling
+ENV TINI_VERSION v0.16.1
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /usr/local/bin/tini
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /usr/local/bin/tini.asc
Review comment:
Why did this switch to use `ADD` with a remote URL?
(see https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#add-or-copy)
There are several problems with this approach. When using `ADD` in this way, `/usr/local/bin/tini` has to be downloaded _every_ time `docker build` is run, regardless of whether it's going to match local build cache. Additionally, this will add double `tini` to the end image (due to the `chmod +x` which happens in the following layer).
I'd recommend simply moving this back up into the `RUN` line which is downloading `gosu` (where `wget` is already installed and removed). Also, `curl` is installed in the first `RUN` line of this image, so it might be worth either removing that (and adding `curl` or `wget` down below in the `buildDeps` variable) or simply using `curl` instead when downloading `gosu`/`tini`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services